h0ng10 / yubico-yubiserve

Automatically exported from code.google.com/p/yubico-yubiserve
GNU General Public License v3.0

Multiple SQL injection vulnerabilities #31

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
SQL statements are executed with user controlled values inserted. This allows 
for easy SQL injection attacks against the server.

Attached is a patch to correct them. It was only tested against sqlite3 so it 
should probably be tested against MySQL before being committed.

Also included in the patch is a change to the first line to use /usr/bin/env to 
make the script more portable. It can be dropped or added as a different patch 
if needed.

Original issue reported on code.google.com by Kenny.Ma...@gmail.com on 16 Aug 2013 at 7:24

Attachments:

GoogleCodeExporter commented 8 years ago
Working on testing with sqlite and mysql.

Works with sqlite3.

Seems to fail with sqlite, so trying to figure out why. I imagine it's when 
passing in an empty variable or something.

Original comment by glen.ogilvie@gmail.com on 6 Sep 2013 at 8:01

GoogleCodeExporter commented 8 years ago
This patch is not compatible with sqlite and mysql, because the paramstyle is 
different on each of these databases, see:
http://www.python.org/dev/peps/pep-0249/#paramstyle

I am not sure the best way to resolve this yet.

>>> print MySQLdb.paramstyle
format
>>> import sqlite
>>> print sqlite.paramstyle
pyformat
>>> import sqlite3
>>> print sqlite3.paramstyle
qmark

Original comment by glen.ogilvie@gmail.com on 6 Sep 2013 at 9:13

GoogleCodeExporter commented 8 years ago
There seems to be a workaround to this here:
http://sourceforge.net/p/pydal/code/HEAD/tree/trunk/dal/dbapi/paramstyles.py

This converts from any paramstyle to any other paramstyle.

Original comment by stephan....@gmail.com on 27 Nov 2013 at 2:46
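As an added example (not yubiserve's own code and not the patch attached to this issue), the following shows both points raised in this thread against sqlite3's in-memory database: first, why splicing a user-controlled value into the SQL text lets the value be parsed as SQL instead of data, and second, how a query written once with qmark placeholders can be executed under any of the PEP 249 paramstyles listed above. The `yubikeys` table, its columns and the public-name values are constructed for the demo, and `translate_qmark` is a hypothetical minimal stand-in for the pydal paramstyle converter linked in the last comment, not that library's code.

```python
"""Added example: parameterised queries that survive a change of DB-API driver.

Assumptions (constructed for this demo): a table yubikeys(publicname, counter),
queries written with '?' placeholders, and a tiny translator in place of the
pydal paramstyles module. Only positional parameters are handled.
"""
import sqlite3


def translate_qmark(sql, params, paramstyle):
    """Rewrite a qmark-style statement for the given DB-API paramstyle.

    Returns (sql, params) ready for cursor.execute(). Question marks inside
    single-quoted string literals are left untouched; every other '?' becomes
    the target driver's placeholder, and params is reshaped to match
    (tuple for positional styles, dict for named/pyformat).
    """
    params = list(params)
    out = []
    n = 0
    in_literal = False
    for ch in sql:
        if ch == "'":
            in_literal = not in_literal
            out.append(ch)
        elif ch == "?" and not in_literal:
            n += 1
            if paramstyle == "qmark":        # sqlite3
                out.append("?")
            elif paramstyle == "format":     # MySQLdb
                out.append("%s")
            elif paramstyle == "numeric":
                out.append(":%d" % n)
            elif paramstyle == "named":
                out.append(":p%d" % n)
            elif paramstyle == "pyformat":   # old sqlite module
                out.append("%%(p%d)s" % n)
            else:
                raise ValueError("unknown paramstyle: %r" % (paramstyle,))
        else:
            out.append(ch)
    if n != len(params):
        raise ValueError("query has %d placeholders but %d params" % (n, len(params)))
    if paramstyle in ("named", "pyformat"):
        bound = {"p%d" % (i + 1): v for i, v in enumerate(params)}
    else:
        bound = tuple(params)
    return "".join(out), bound


def make_demo_db():
    """Constructed sample data: two keys with made-up public names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE yubikeys (publicname TEXT, counter INTEGER)")
    conn.executemany("INSERT INTO yubikeys VALUES (?, ?)",
                     [("ccccccbchvth", 12), ("ccccccdefghi", 7)])
    return conn


def lookup_unsafe(conn, publicname):
    """The pattern the issue reports: the value is spliced into the SQL text,
    so a quote in the value changes the statement's meaning."""
    sql = "SELECT publicname FROM yubikeys WHERE publicname = '%s'" % publicname
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, publicname, paramstyle=None):
    """Bound parameter: the value is sent as data, whatever it contains.
    paramstyle defaults to the driver's own declaration."""
    style = paramstyle or sqlite3.paramstyle
    sql, bound = translate_qmark(
        "SELECT publicname FROM yubikeys WHERE publicname = ?",
        (publicname,), style)
    return [row[0] for row in conn.execute(sql, bound)]


if __name__ == "__main__":
    db = make_demo_db()
    crafted = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, crafted))   # matches every row
    print("safe:  ", lookup_safe(db, crafted))     # matches nothing
```

Because sqlite3 also understands `:name` placeholders, the same translator can be exercised in `named` mode against it, which is a cheap way to check the translation before pointing the code at MySQLdb's `format` style.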